From: Wietse Venema Date: Sun, 23 Oct 2022 05:00:00 +0000 (-0500) Subject: postfix-3.8-20221023 X-Git-Tag: v3.8.0-RC1~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f54d4f0f183d7596d310932118a98490956eb7ba;p=thirdparty%2Fpostfix.git postfix-3.8-20221023 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index a13c08923..3869bfde5 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -26635,3 +26635,27 @@ Apologies for any names omitted. pre-release-checks stop filters. Files: RELEASE_NOTES, HISTORY, stop.spell-history, stop.double-history, stop.spell-proto-html, postqueue.1, postqueue.1.html. + +20221008 + + Cleanup: in the default master.cf file, unconditionally + enable header rewriting and missing header insertion, for + the submission and smtps services. Dan Mahoney. File + conf/master.cf. + +20221017 + + Robustness: unconditionally disable a CPU resource attack + requesting TLS renegotiation. There's no good reason to + support this in the middle of an SMTP connection. Viktor + Dukhovni. File: tls/tls_misc.c. + +20221023 + + Documentation: describe limitations of smtpd(8) features + that cannot work with smtpd_proxy_filter. File: + proto/SMTPD_PROXY_README.html. + + Documentation: the local_header_rewrite_clients and + remote_header_rewrite_domain features also enable adding + missing headers. File: proto/postconf.proto. diff --git a/postfix/README_FILES/SMTPD_PROXY_README b/postfix/README_FILES/SMTPD_PROXY_README index a3707ea4c..2b0dd9143 100644 --- a/postfix/README_FILES/SMTPD_PROXY_README +++ b/postfix/README_FILES/SMTPD_PROXY_README 
@@ -71,6 +71,25 @@ PPrrooss aanndd ccoonnss ooff bbeeffoorree--qquueeuuee sender (which is usually forged anyway). Mail that is not accepted remains the responsibility of the remote SMTP client. + * Con: The smtpd(8) service before the smtpd_proxy_filter cannot support + features that involve header or body access, or that involve queue file + manipulation (i.e., anything that involves processing by the cleanup(8) + service). + + o No support for HOLD actions in Postfix smtpd access(5) restrictions. + + o No support for smtpd_milters features that involve message header or + body content. + + o No support for receive_override_options. + + Instead, specify those features with the smtpd(8) service behind the + smtpd_proxy_filter. In some cases, it may be possible to combine a before- + filter PREPEND action that emits a unique pattern (for example containing + the MTA domain name), with an after-filter header_checks action that does + what you want, and with an smtp_header_checks IGNORE action that deletes + the prepended header from transit mail. + * Con: The remote SMTP client expects an SMTP reply within a deadline. As the system load increases, fewer and fewer CPU cycles remain available to answer within the deadline, and eventually you either have to stop diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index bc098908b..00876604d 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -28,22 +28,21 @@ comfortable with the IPL can continue with that license. Bugfix for messages not delivered after "warning: Unexpected record type 'X' ============================================================================ -Due to a bug introduced in Postfix 3.7, a message could falsely +Due to a bug introduced in Postfix 3.7.0, a message could falsely be flagged as corrupt with "warning: Unexpected record type 'X'". Such messages were moved to the "corrupt" queue directory, where they may still be found. See below for instructions to deal with these falsely flagged messages. -This could happen for messages with 5000 or more recipients, or -with fewer recipients on a busy mail server. The problem was first -reported by Frank Brendel, reproduced by John Alex. +This problem could happen for messages with 5000 or more recipients, +or with fewer recipients on a busy mail server. The problem was +first reported by Frank Brendel, and the error conditions were +reproduced by John Alex. -A file in the "corrupt" queue directory may be inspected with the -command "postcat /var/spool/postfix/corrupt/. If delivery -of the file is still desired, the file can be moved back to -/var/spool/postfix/incoming after updating Postfix and executing -"postfix reload". +Please see https://www.postfix.org/announcements/postfix-3.7.3 for +instructions to identify falsely flagged messages in the Postfix +queue, and what actions may be taken. Incompatible changes with snapshot 20220507 =========================================== diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 6a736d434..1b2464a51 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST 
@@ -9,6 +9,14 @@ Wish list: Scan Postfix code with github.com/googleprojectzero/weggli (depends on "rust"). + Consider renaming local_header_rewrite_clients to + local_header_canonicalize_clients, as a more accurate name. + Optionally support "local_header_canonicalize_classes = + rewrite_addresses, add_missing_headers" (default setting). + + And ditto for remote_header_rewrite_domain, whether it + should rewrite address, add missing headers, or both. + Migrate masquerade_domains from ARGV to STRING_LIST, or deprecate this feature because it breaks table-driven address validation. diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf index 83fc6fdf7..fd282dd29 100644 --- a/postfix/conf/master.cf +++ b/postfix/conf/master.cf @@ -21,6 +21,7 @@ smtp inet n - n - - smtpd # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_tls_auth_only=yes +# -o local_header_rewrite_clients=static:all # -o smtpd_reject_unlisted_recipient=no # Instead of specifying complex smtpd__restrictions here, # specify "smtpd__restrictions=$mua__restrictions" @@ -38,6 +39,7 @@ smtp inet n - n - - smtpd # -o syslog_name=postfix/submissions # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes +# -o local_header_rewrite_clients=static:all # -o smtpd_reject_unlisted_recipient=no # Instead of specifying complex smtpd__restrictions here, # specify "smtpd__restrictions=$mua__restrictions" diff --git a/postfix/html/SMTPD_PROXY_README.html b/postfix/html/SMTPD_PROXY_README.html index 9e90ed103..b6f29f885 100644 --- a/postfix/html/SMTPD_PROXY_README.html +++ b/postfix/html/SMTPD_PROXY_README.html @@ -158,6 +158,31 @@ mail back to the sender (which is usually forged anyway). Mail that is not accepted remains the responsibility of the remote SMTP client.

+
  • Con: The smtpd(8) service before the smtpd_proxy_filter +cannot support features that involve header or body access, or that +involve queue file manipulation (i.e., anything that involves +processing by the cleanup(8) service).

    + + + +

    Instead, specify those features with the smtpd(8) service behind +the smtpd_proxy_filter. In some cases, it may be possible to combine +a before-filter PREPEND action that emits a unique pattern (for +example containing the MTA domain name), with an after-filter +header_checks action that does what you want, and with an +smtp_header_checks IGNORE action that deletes the prepended header +from transit mail.

    +
  • Con: The remote SMTP client expects an SMTP reply within a deadline. As the system load increases, fewer and fewer CPU cycles remain available to answer within the deadline, and eventually diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 03f0ddba9..accd101b7 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -5902,17 +5902,17 @@ into concurrency per domain.

    local_header_rewrite_clients (default: permit_inet_interfaces)
    -

    Rewrite message header addresses in mail from these clients and -update incomplete addresses with the domain name in $myorigin or -$mydomain; either don't rewrite message headers from other clients -at all, or rewrite message headers and update incomplete addresses -with the domain specified in the remote_header_rewrite_domain -parameter.

    +

    Rewrite or add message headers in mail from these clients, +updating incomplete addresses with the domain name in $myorigin or +$mydomain, and adding missing headers.

    See the append_at_myorigin and append_dot_mydomain parameters for details of how domain names are appended to incomplete addresses.

    +

    See remote_header_rewrite_domain to optionally rewrite or add +message headers in mail from other clients.

    +

    Specify a list of zero or more of the following:

    @@ -10182,9 +10182,13 @@ Examples:
    remote_header_rewrite_domain (default: empty)
    -

    Don't rewrite message headers from remote clients at all when -this parameter is empty; otherwise, rewrite message headers and -append the specified domain name to incomplete addresses. The +

    Rewrite or add message headers in mail from remote clients if +the remote_header_rewrite_domain parameter value is non-empty, +updating incomplete addresses with the domain specified in the +remote_header_rewrite_domain parameter, and adding missing headers. +

    + +

    The local_header_rewrite_clients parameter controls what clients Postfix considers local.

    diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 289f0de88..b2f5fd493 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -3584,16 +3584,16 @@ Setting this parameter to a value > 1 changes the meaning of local_destination_concurrency_limit from concurrency per recipient into concurrency per domain. .SH local_header_rewrite_clients (default: permit_inet_interfaces) -Rewrite message header addresses in mail from these clients and -update incomplete addresses with the domain name in $myorigin or -$mydomain; either don't rewrite message headers from other clients -at all, or rewrite message headers and update incomplete addresses -with the domain specified in the remote_header_rewrite_domain -parameter. +Rewrite or add message headers in mail from these clients, +updating incomplete addresses with the domain name in $myorigin or +$mydomain, and adding missing headers. .PP See the append_at_myorigin and append_dot_mydomain parameters for details of how domain names are appended to incomplete addresses. .PP +See remote_header_rewrite_domain to optionally rewrite or add +message headers in mail from other clients. +.PP Specify a list of zero or more of the following: .IP "\fBpermit_inet_interfaces\fR" Append the domain name in $myorigin or $mydomain when the 
@@ -6440,9 +6440,12 @@ relocated_maps = hash:/etc/postfix/relocated .ad .ft R .SH remote_header_rewrite_domain (default: empty) -Don't rewrite message headers from remote clients at all when -this parameter is empty; otherwise, rewrite message headers and -append the specified domain name to incomplete addresses. The +Rewrite or add message headers in mail from remote clients if +the remote_header_rewrite_domain parameter value is non\-empty, +updating incomplete addresses with the domain specified in the +remote_header_rewrite_domain parameter, and adding missing headers. +.PP +The local_header_rewrite_clients parameter controls what clients Postfix considers local. .PP diff --git a/postfix/proto/SMTPD_PROXY_README.html b/postfix/proto/SMTPD_PROXY_README.html index 710183b7b..3009fdbe8 100644 --- a/postfix/proto/SMTPD_PROXY_README.html +++ b/postfix/proto/SMTPD_PROXY_README.html @@ -158,6 +158,31 @@ mail back to the sender (which is usually forged anyway). Mail that is not accepted remains the responsibility of the remote SMTP client.

    +
  • Con: The smtpd(8) service before the smtpd_proxy_filter +cannot support features that involve header or body access, or that +involve queue file manipulation (i.e., anything that involves +processing by the cleanup(8) service).

    + +
      + +
    • No support for HOLD actions in Postfix smtpd access(5) +restrictions.

      + +
    • No support for smtpd_milters features that involve message +header or body content.

      + +
    • No support for receive_override_options. + +

    + +

    Instead, specify those features with the smtpd(8) service behind +the smtpd_proxy_filter. In some cases, it may be possible to combine +a before-filter PREPEND action that emits a unique pattern (for +example containing the MTA domain name), with an after-filter +header_checks action that does what you want, and with an +smtp_header_checks IGNORE action that deletes the prepended header +from transit mail.

    +
  • Con: The remote SMTP client expects an SMTP reply within a deadline. As the system load increases, fewer and fewer CPU cycles remain available to answer within the deadline, and eventually diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 0f335eea9..07dca9f78 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -9358,9 +9358,13 @@ physical endpoints.

    %PARAM remote_header_rewrite_domain -

    Don't rewrite message headers from remote clients at all when -this parameter is empty; otherwise, rewrite message headers and -append the specified domain name to incomplete addresses. The +

    Rewrite or add message headers in mail from remote clients if +the remote_header_rewrite_domain parameter value is non-empty, +updating incomplete addresses with the domain specified in the +remote_header_rewrite_domain parameter, and adding missing headers. +

    + +

    The local_header_rewrite_clients parameter controls what clients Postfix considers local.

    @@ -9387,17 +9391,17 @@ remote_header_rewrite_domain = %PARAM local_header_rewrite_clients permit_inet_interfaces -

    Rewrite message header addresses in mail from these clients and -update incomplete addresses with the domain name in $myorigin or -$mydomain; either don't rewrite message headers from other clients -at all, or rewrite message headers and update incomplete addresses -with the domain specified in the remote_header_rewrite_domain -parameter.

    +

    Rewrite or add message headers in mail from these clients, +updating incomplete addresses with the domain name in $myorigin or +$mydomain, and adding missing headers.

    See the append_at_myorigin and append_dot_mydomain parameters for details of how domain names are appended to incomplete addresses.

    +

    See remote_header_rewrite_domain to optionally rewrite or add +message headers in mail from other clients.

    +

    Specify a list of zero or more of the following:

    diff --git a/postfix/proto/stop b/postfix/proto/stop index d8ae00828..16a29cf21 100644 --- a/postfix/proto/stop +++ b/postfix/proto/stop @@ -1565,3 +1565,6 @@ raf fnvz hc mkmap +Brendel +Bugfix +https diff --git a/postfix/proto/stop.spell-history b/postfix/proto/stop.spell-history index 52e25f413..20afd36a8 100644 --- a/postfix/proto/stop.spell-history +++ b/postfix/proto/stop.spell-history @@ -27,3 +27,5 @@ Spil Amma Jesper Pau +Mahoney +manpages diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 9faa28544..ec4268991 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20221007" +#define MAIL_RELEASE_DATE "20221023" #define MAIL_VERSION_NUMBER "3.8" #ifdef SNAPSHOT diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index d1685136b..361dae5bc 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c @@ -1369,6 +1369,12 @@ long tls_bug_bits(void) * options just in case. */ bits |= SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE; + + /* + * Unconditionally disable a CPU resource attack. There's no good reason + * to enable TLS renegotiation in the middle of an SMTP connection. + */ + bits |= SSL_OP_NO_RENEGOTIATION; return (bits); }
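Review bot: in src/tls/tls_misc.c, tls_bug_bits() now sets SSL_OP_NO_RENEGOTIATION with no preprocessor guard, and OpenSSL releases before 1.1.0h do not define that macro, so a build against older headers stops at this line. If such releases are still a supported build target, wrap the assignment in #ifdef SSL_OP_NO_RENEGOTIATION; if they are not, state the minimum OpenSSL version in the comment. The change also alters on-the-wire behavior (a peer that requests renegotiation is now refused), yet this commit's RELEASE_NOTES hunk does not mention it, so a short entry there would help operators who debug dropped sessions.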
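Review bot: in conf/master.cf, both added lines are commented out ("# -o local_header_rewrite_clients=static:all"), so the HISTORY entry's "unconditionally enable" only holds after an administrator uncomments the submission or smtps block; suggest wording HISTORY as "for all clients of the submission and smtps services, when enabled". Because static:all marks every client of the service as local, the example should also carry a one-line comment tying it to the neighbouring "-o smtpd_sasl_auth_enable=yes" line, so that nobody copies the override onto a service that accepts unauthenticated mail.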
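Review bot: in proto/SMTPD_PROXY_README.html (and the generated html/ and README_FILES/ copies), the workaround paragraph suggests a PREPEND pattern "containing the MTA domain name", which a remote sender can guess and put in their own message; the smtpd(8) before the filter cannot inspect headers, so the after-filter header_checks rule would then fire on sender-supplied content. Suggest that the text recommend a value that is not derivable from public information, and say that the after-filter rule must not be used for decisions where a forged match matters. A short three-part example (access table PREPEND, header_checks, smtp_header_checks IGNORE) would also make the paragraph easier to apply.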
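Review bot: in RELEASE_NOTES, the hunk removes the local recovery instructions and leaves only a pointer to https://www.postfix.org/announcements/postfix-3.7.3, so someone reading the file from a tarball on an offline mail host has no guidance left. Suggest keeping a one-sentence summary (inspect files in the "corrupt" queue directory with postcat, and requeue after updating) next to the link. The retained sentence "See below for instructions to deal with these falsely flagged messages" should then be reworded, since what follows is a link rather than instructions, and the URL has no file extension, so it is worth confirming that it resolves as written.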
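Review bot: in proto/postconf.proto (and the generated postconf.5 and postconf.5.html), the new remote_header_rewrite_domain text no longer states what happens with the default empty value; the removed sentence "Don't rewrite message headers from remote clients at all when this parameter is empty" was the clearest statement of the default and should be kept in some form. Both parameter descriptions now say "adding missing headers" without naming which headers; listing them, or pointing to the parameter that documents them, would let administrators judge the effect on mail that passes signature checks downstream.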